Eric,<br><br><div class="gmail_quote">On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert <span dir="ltr"><<a href="mailto:ejs@shubes.net" target="_blank">ejs@shubes.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On 05/31/2013 05:41 PM, Lisa Kachold wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
Nginx has some pretty serious security issues, so be sure that you<br>
implement it with all the patches and complete recommendations:<br>
<br>
</div><a href="http://nginx.org/en/security_advisories.html%C3%82" target="_blank">http://nginx.org/en/security_<u></u>advisories.htmlÂ</a><br>
</blockquote>
<br>
The current version in CentOS4 is not susceptible to any of these vulnerabilities. Good to check though.</blockquote><div><br></div><div>Yes, Shubes! Don't even blink! Every day another exploit is announced! excerpts:</div>
<h2 class="dek" style="padding:0px;font-size:1em;font-family:Arial,Helvetica,sans-serif;background-image:none;background-color:rgb(255,255,255);line-height:16px;margin:10px 0px 20px 4px!important;background-repeat:no-repeat no-repeat">
<span style="font-weight:normal">Anonymous hackers behind the Cdorked malware that targets Apache servers now have extended their exploit to infect open-source Nginx and Lighttpd server software.</span></h2><div><a href="http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/">http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/</a> This integer overflow fails over so you can do just about whatever you like; especially with the right tools:</div>
<div><br></div><div><a href="http://exploitsdownload.com/search/nginx/">http://exploitsdownload.com/search/nginx/</a></div><div><br></div><div>Old stuff from 2010: "A noobs guide to hacking Nginx" <a href="http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/">http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/</a></div>
<div><br></div><div><span style="font-size:13px;font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)">Nginx Tuesday announced the </span><a href="http://nginx.org/en/" style="font-size:13px;outline:none medium;color:rgb(0,59,176);font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)">release of nginx-1.4.1</a><span style="font-size:13px;font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)"> -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on a Ngnix server and completely compromise it. In a </span><a href="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html" style="font-size:13px;outline:none medium;color:rgb(0,59,176);font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)">security advisory</a><span style="font-size:13px;font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)"> issued Tuesday, Nginx said </span><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028" style="font-size:13px;outline:none medium;color:rgb(0,59,176);font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)">the bug</a><span style="font-size:13px;font-family:arial,helvetica,sans-serif;line-height:18.1875px;background-color:rgb(255,255,255)"> is present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said.</span> </div>
<div><br></div><div>Yes, installing from repo (with Redhat/CentOs/Fedora and uBuntu) means that if a vulnerability exists with a patch available, the Nginx installed is going to include that security fix. </div><div><br>
</div><div>CentOs/Redhat (and Ubuntu) are so fast with fixing vulnerabilities ( and the Nginx security issues are all the standard browser stack vulns (stack smash, XSS, remote code execution, escalated privs). Of course there are also a few implementation security issues - that seem like nice hacks on the front side until - well, your site is defaced: <a href="http://www.theadminzone.com/forums/showthread.php?t=99536">http://www.theadminzone.com/forums/showthread.php?t=99536</a></div>
<div><br></div><div>It's really rather outrageous that Apache has dominated this space for so long, when slimmed down httpd servers and reverse proxies do the job so much better, especially in 3/4 tiered environments with J2EE, is it not? </div>
<div><br></div><div>Nginx: </div><div><br></div><div><a href="http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/">http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/</a></div>
<div><br></div><div>I personally still favor the custom compiled Apache2 with vastly scaled down binary size (dynamic module stripping) and custom server signature [replacing "Apache2 $version" with "$customstring $version" which IS allowed under the Apache2 license] (to reduce fingerprinting - and therefore also limit script kiddies - if we can't mitigate everything let's obfuscate!. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
<br>
-- <br>
-Eric 'shubes'<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br></div><div><div>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div><a href="tel:%28503%29%20754-4452" value="+15037544452" target="_blank">(503) 754-4452</a> Android<br><a href="tel:%28623%29%20239-3392" value="+16232393392" target="_blank">(623) 239-3392</a> Skype<br>
<a href="tel:%28623%29%20688-3392" value="+16236883392" target="_blank">(623) 688-3392</a> Google Voice<br>**<br><a href="http://it-clowns.com/d/" target="_blank">it-clowns.com</a><br>
Chief Clown<br><br><br><br><br><br><br><br><br><br><br><br><br><br>